Describe the bug
I am trying to create a database programmatically using the azure-cosmos library. However, it consistently fails when I run client.create_database_if_not_exists(COSMOS_DB_NAME) with the following:
Code: Forbidden
Message: Request blocked by Auth archagent-cosmos : Request for Read DatabaseAccount is blocked because principal [ME] does not have required RBAC permissions to perform action [Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write] on any scope. Learn more: https://aka.ms/cosmos-native-rbac. This could be because the user's group memberships were not present in the AAD token.
ActivityId: 27fcabd9-22a8-476c-8bce-acac6ec1f94c, Microsoft.Azure.Documents.Common/2.14.0
I have to create the database using the Azure CLI (which uses azure-cosmos 3.2.0) and then it succeeds because the "if_not_exists" means the creation is skipped. It then proceeds to happily create the containers and let me access them. But the fact that nothing I have done allows me to programmatically create the database has been unbelievably frustrating. I have wasted days trying to figure this out and have finally given up, assuming the SDK is broken.
Prior to these steps, I had already assigned "Cosmos DB Operator" on the resource group and "Cosmos DB Built-in Data Contributor" on the Cosmos DB account via RBAC role assignments.
To Reproduce
Steps to reproduce the behavior:
Using the CosmosDB SDK (4.9.0)
Create a resource group
Create a cosmos db account with disable_local_auth=True
Assign the random RBAC roles necessary. Force refresh the token and wait 10 min or so for roles to propagate.
Try to create the database. It fails. Wait. It fails. Use Azure CLI and it works!
Expected behavior
I expect it to not error out and work.
Additional context
Local auth must be disabled. Not sure why that would matter, but in case it does.
Chatting with @seesharprun the issue is that the data plane SDK does not work correctly with EntraID. The right solution moving forward is to use the azure-mgmt-cosmos library to create the database and containers. (Note that for some reason I can create the containers with the data-plane SDK, just not the database).
It might be worth adding a warning to this operation or deprecating it in favor of the management plane alternative. Also, the operation that the Azure CLI uses in version 3.2.0 looks identical to the current management plane call, which might explain why the CLI was successful where the Python SDK was not.
Huge thanks to @seesharprun for his insight into the issue!
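The following is an added example, not code from the issue or from the Azure SDK repositories, showing the management-plane route recommended in the comment above: the database and container are created through azure-mgmt-cosmosdb (authorised by Azure RBAC, which is what the `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write` action in the Forbidden message belongs to), and only then is the data-plane azure-cosmos client opened with the same Entra ID credential. It also includes a small parser for the Forbidden message so you can tell from the failing action which role system must grant it. Subscription, resource-group, account and container names are placeholders; the ContainerSpec type, `required_plane` and `provision` are names chosen for this example.

```python
"""Added example: provision a Cosmos DB (NoSQL API) database and container via
the management plane, then use the data plane, with one Entra ID credential.
Pure helpers at the top run offline; provision() needs azure-identity,
azure-mgmt-cosmosdb and azure-cosmos and a real account."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Actions granted by Cosmos DB *native* (data-plane) RBAC roles such as
# "Cosmos DB Built-in Data Contributor". Anything else under
# Microsoft.DocumentDB/... (e.g. sqlDatabases/write) is an ARM control-plane
# action and must be granted by Azure RBAC (e.g. "Cosmos DB Operator").
DATA_PLANE_MARKERS = (
    "/readMetadata",
    "/containers/items/",
    "/containers/executeQuery",
    "/containers/readChangeFeed",
    "/containers/executeStoredProcedure",
    "/containers/manageConflicts",
)

_ACTION_RE = re.compile(r"perform action \[([^\]]+)\]")


def required_plane(forbidden_message: str) -> Optional[Tuple[str, str]]:
    """Extract the action from a Cosmos 'Forbidden' message and return
    (action, "control" | "data"); None if the message names no action."""
    m = _ACTION_RE.search(forbidden_message)
    if not m:
        return None
    action = m.group(1)
    plane = "data" if any(k in action for k in DATA_PLANE_MARKERS) else "control"
    return action, plane


def valid_partition_key_path(path: str) -> bool:
    """Cosmos partition key paths are JSON paths starting with '/'."""
    return path.startswith("/") and len(path) > 1


@dataclass(frozen=True)
class ContainerSpec:  # hypothetical helper type for this example
    name: str
    partition_key_path: str

    def __post_init__(self) -> None:
        if not valid_partition_key_path(self.partition_key_path):
            raise ValueError(f"bad partition key path: {self.partition_key_path!r}")


def provision(subscription_id: str, resource_group: str, account_name: str,
              database_name: str, container: ContainerSpec, credential=None):
    """Create the database and container via ARM, then return a data-plane
    ContainerProxy bound with the same credential (local auth stays disabled)."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.cosmosdb import CosmosDBManagementClient
    from azure.mgmt.cosmosdb.models import (
        ContainerPartitionKey, CreateUpdateOptions,
        SqlContainerCreateUpdateParameters, SqlContainerResource,
        SqlDatabaseCreateUpdateParameters, SqlDatabaseResource)
    from azure.cosmos import CosmosClient

    credential = credential or DefaultAzureCredential()
    mgmt = CosmosDBManagementClient(credential, subscription_id)

    # Control plane: needs Azure RBAC on the account/resource group.
    mgmt.sql_resources.begin_create_update_sql_database(
        resource_group, account_name, database_name,
        SqlDatabaseCreateUpdateParameters(
            resource=SqlDatabaseResource(id=database_name),
            options=CreateUpdateOptions()),
    ).result()
    mgmt.sql_resources.begin_create_update_sql_container(
        resource_group, account_name, database_name, container.name,
        SqlContainerCreateUpdateParameters(
            resource=SqlContainerResource(
                id=container.name,
                partition_key=ContainerPartitionKey(
                    paths=[container.partition_key_path], kind="Hash")),
            options=CreateUpdateOptions()),
    ).result()

    # Data plane: needs a Cosmos DB native data role on the account.
    endpoint = mgmt.database_accounts.get(resource_group, account_name).document_endpoint
    client = CosmosClient(endpoint, credential=credential)
    return client.get_database_client(database_name).get_container_client(container.name)


if __name__ == "__main__":
    # Placeholder names; replace with your own before running.
    proxy = provision("00000000-0000-0000-0000-000000000000", "my-rg",
                      "my-cosmos-account", "appdb", ContainerSpec("items", "/tenantId"))
    print(proxy.id)
```

Role assignment is the part the data-plane SDK cannot do for you: `Cosmos DB Operator` (or a narrower Azure RBAC role carrying `sqlDatabases/write`) on the account is what `provision` needs for the ARM calls, while the data-plane proxy it returns only works once the principal also holds a native data role on the same account.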
xiangyan99 added the issue-addressed label (Workflow: The Azure SDK team believes it to be addressed and ready to close.) and removed the needs-triage label (Workflow: This is a new issue that needs to be triaged to the appropriate team.) on Mar 19, 2025